COMPAQ Security Advisory SSRT1-85U Tru64 UNIX - xntpd overflow

[Elias Levy <aleph1 () SECURITYFOCUS COM>]

From: "Boren, Rich" <Rich.Boren () COMPAQ com>
Subject: COMPAQ Security Advisory SSRT1-85U  Tru64 UNIX - xntpd overflow
Date: Wed, 2 May 2001 21:26:44 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

               **       NO RESTRICTIONS      **
               **      FOR DISTRIBUTION     **

 ====================================================
 TITLE:        SSRT1-85U - xntpd potential buffer overflow
 SOURCE:   Compaq Computer Corporation,
                     Software Security Response Team
 ====================================================
 Date:  02-MAY-2001

 SEVERITY:  HIGH

 PROBLEM STATEMENT SUMMARY:

  Compaq continues to take a serious approach to the quality
  and security of all its software products and makes every
  effort to address issues and provide solutions in a timely
  manner. In line with this commitment, Compaq is responding
  to recent concerns of a potential buffer overflow with xntpd.

  The Network Time Protocol daemon for Compaq Tru64 UNIX
  contains a potential buffer overflow (even though it would be
  difficult to exploit) that may allow unauthorized access to bin
  privileges.

 IMPACT:

  Compaq's Tru64 UNIX  V4.0d, V4.0f, V4.0g, V5.0, V5.0a, V5.1

 SOLUTION:

  Compaq Tru64 UNIX engineering has provided a fix for this
  potential problem.

  NOTE: The solutions will be included in future releases of
  Tru64 UNIX aggregate patch kits. Until that has happened
  the kits identified should be reinstalled accordingly after an
  upgrade to any affected version listed.

   The patches identified are available from the Compaq FTP site
   http://ftp1.support.compaq.com/public/dunix/ then choose the
   version directory needed and search for the patch by name.
   Please review the applicable readme and install files prior
   to installation.

   Patches:
  V4.0D:   DUV40D16-C0058302-10580-20010430.tar
  V4.0F:    DUV40F16-C0042002-10579-20010430.tar
  V4.0G:   T64V40G16-C0003502-10577-20010430.tar
  V5.0:      T64V5016-C0006102-10575-20010430.tar
  V5.0A:   T64V50A16-C0010402-10574-20010430.tar
  V5.1:      T64V513-C0027202-10573-20010430.tar

   NOTE: A patch for Compaq Tru64 UNIX V4.0e is not available
   as it is no longer supported by Compaq. If you require a patch
   for V4.0e please contact your normal Compaq Services channel.

  Compaq appreciates your cooperation and patience. We regret any
  inconvenience applying this information may cause.

  As always, Compaq urges you to periodically review your system
  management and security procedures.  Compaq will continue to
  review and enhance the security features of its products and work
  with customers to maintain and improve the security and integrity
  of their systems.

 (c) Copyright 2001 Compaq Computer Corporation.  All rights reserved

   To subscribe to automatically receive future NEW Security
   Advisories from the Compaq's Software Security Response Team
   via electronic mail,

   Use your browser select the URL
   http://www.support.compaq.com/patches/mailing-list.shtml
   Select "Security and Individual Notices" for immediate dispatch
   notifications directly to your mailbox.

   To report new Security Vulnerabilities, send mail to:

      security-ssrt () compaq com
 =============================================
  COMPAQ AND/OR ITS RESPECTIVE SUPPLIERS MAKE
  NO REPRESENTATIONS ABOUT THE SUITABILITY OF
  THE INFORMATION CONTAINED IN THE DOCUMENTS
  AND RELATED GRAPHICS AND/OR SOFTWARE PUBLISHED
  ON THIS SERVER FOR ANY PURPOSE. ALL SUCH
  DOCUMENTS AND RELATED GRAPHICS ARE PROVIDED
  "AS IS" WITHOUT WARRANTY OF ANY KIND AND ARE
  SUBJECT TO CHANGE WITHOUT NOTICE. THE ENTIRE RISK
  ARISING OUT OF THEIR USE REMAINS WITH THE RECIPIENT.
  IN NO EVENT SHALL COMPAQ AND/OR ITS RESPECTIVE
  SUPPLIERS BE LIABLE FOR ANY DIRECT, CONSEQUENTIAL,
  INCIDENTAL, SPECIAL, PUNITIVE OR OTHER DAMAGES
  WHATSOEVER (INCLUDING WITHOUT LIMITATION,
  DAMAGES FOR LOSS OF BUSINESS PROFITS, BUSINESS
  INTERRUPTION, OR LOSS OF BUSINESS INFORMATION),
  EVEN IF COMPAQ HAS BEEN ADVISED OF THE POSSIBILITY
  OF SUCH DAMAGES.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBOvDA+KgxZJFjvD74EQIcQgCfTZEG+9t09c6DPEZB/Ez/VehVI5sAnAhQ
X4McRxZlZeJ27lWFf6ndo+PV
=FExB
-----END PGP SIGNATURE-----